A not so smart card

How bad security decisions can ruin a debit card design

This lecture will introduce you to the the Postcard, a widely used debit card issued by FostFinance in Switzerland. As other debit cards like the "EC" card it is used for shopping payments at POS terminals or to draw money from ATMs in Switzerland and many other countries. It's widely used by its 2'000'000 users, producing a total transaction volume of around 8'000'000'000 Swiss Francs a year.

All security features of the card are described and their ineffectivness is demonstrated. It is shown how even outsiders can get access to the secret key of the card issuer, allowing them to create new, valid debit cards on their own or to clone existing card without any physical access to the original.

If the phrase "Your key is way too short" could embarass IT security officers as much as if we are referring to their private (male) body part - security would be much better off in some cases - at least in this one...